DETAILED ACTION

1. Claims 1-11, 13, 15-17, 19-21 are pending.

2. Amendment filed 04/27/2006 has been received and considered.



Claim Rejections - 35 U.S.C. § 103



3. The following is a quotation of 35 U.S.C. 103(a) which 
forms the basis for all obviousness rejections set forth in this 
Office action: 

(a) A patent may not be obtained though the invention is not identically 
disclosed or described as set forth in section 102 of this title, if the 
differences between the subject matter sought to be patented and the prior 
art are such that the subject matter as a whole would have been obvious at 
the time the invention was made to a person having ordinary skill in the 
art to which said subject matter pertains. Patentability shall not be 
negatived by the manner in which the invention was made. 

4. Claims 1-2, 10-21 are rejected under 35 U.S.C. 103(a) as 
being unpatentable over I'Anson et al (EPO 0474932), further in 
view of Sweitzer et al (US 6535551), and further in view of 
Shanklin et al (US 6487666).

As per claims 1, and 19-21, I'Anson discloses identifying
at least two valid states associated with the network protocol
in which a first host system communicating with a second host
system using the network protocol may be placed; defining at
least one valid transition between a first state of the at least
two valid states and a second state of the at least two valid
states; determining that a connection under the network protocol
is in the first state; analyzing the stream based at least in
part on the determination that the connection under the network
protocol is in a first state to determine whether the packet is
associated with the at least one valid transition (see p. 3
lines 22-39 and p. 4 lines 27-49).

Application/Control Number: 09/964,272
Art Unit: 2137

I'Anson fails to disclose defining an invalid state 
associated with the network protocol and expressing the at least 
one valid transition and the invalid transition in the form of a 
regular expression and using the regular expression to analyze 
the network protocol stream. 

However, Sweitzer et al teaches the use of an invalid state
(see column 9 line 63 through column 10 line 23) and Shanklin et
al teaches the use of regular expressions (see column 6 lines
39-57).

At the time of the invention it would have been obvious to 
a person of ordinary skill in the art to use the invalid state 
of Sweitzer et al and Shanklin et al's regular expressions to 
analyze the protocol of I'Anson. 

Motivation to do so would have been to handle errors and to
recognize and evaluate identifiers, special symbols, or other
tokens.

As per claim 2, the modified I'Anson, Shanklin et al and
Sweitzer et al system discloses compiling the regular expression
into computer code (see Shanklin et al column 6 lines 39-57).

As per claims 10-11, the modified I'Anson, Shanklin et al 
and Sweitzer et al system discloses keeping track of which of 
the at least two states the first host system currently is in 
and changing the tracked state of the first host system from the 
first of the at least two states to the second of the at least 
two states in the event the analysis of the network protocol 
stream indicates the at least one valid transition has taken 
place (see I'Anson p. 4 lines 27-49).

As per claim 13, the modified I'Anson, Shanklin et al and 
Sweitzer et al system discloses the invalid transition indicates 
that a security-related event has taken or is taking place and 
defining a further state corresponding to the invalid operation 
(see p. 4 lines 18-26 where the security related event is the 
intrusion of Shanklin et al as applied with Sweitzer).

As per claims 15-17, the modified I'Anson, Shanklin et al
and Sweitzer et al system discloses keeping track of which
state, from the set comprising the at least two states and the
further state, the first host system currently is in; and
changing the state of the first host system to the further state
in the event that the analysis of the network protocol stream
indicates the invalid operation has taken place and in the event
that the analysis of the network protocol stream indicates the
invalid operation has taken place, an indication that the
invalid operation has taken place then discontinuing analysis of
the network protocol stream once the state of the first host
system has been changed to the further state (see I'Anson page
4).

5. Claims 3-4 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over the modified I'Anson, Shanklin et al and 
Sweitzer et al system as applied to claim 2 above, and further 
in view of Wijendran (AWK-to-C Translator).

As per claims 3-4, the modified I'Anson, Shanklin et al and 
Sweitzer et al system fails to disclose the use of optimal C 
programming language code. 

However, Wijendran teaches this optimal C code (see page
1).

At the time of the invention it would have been obvious to
a person of ordinary skill in the art to use Wijendran's optimal
C code in the modified I'Anson, Shanklin et al and Sweitzer et
al system.

Motivation to do so would have been to maximize runtime
performance (see page 1).

6. Claim 5 is rejected under 35 U.S.C. 103(a) as being
unpatentable over the modified I'Anson, Shanklin et al and
Sweitzer et al system as applied to claim 2 above, and further
in view of Mangione-Smith (How many vector registers are
useful?).

As per claim 5, the modified I'Anson, Shanklin et al and 
Sweitzer et al system fails to disclose the use of nearly 
optimal computer code. 

However, Mangione-Smith teaches nearly optimal code (see
page 1).

At the time of the invention it would have been obvious to
a person of ordinary skill in the art to use Mangione-Smith's
nearly optimal code in the modified I'Anson, Shanklin et al and
Sweitzer et al system.

Motivation to do so would have been that nearly optimal
code requires fewer vector registers (see page 1).

7. Claims 6-9 are rejected under 35 U.S.C. 103(a) as being
unpatentable over the modified I'Anson, Shanklin et al and
Sweitzer et al system as applied to claim 1 above, and further
in view of Blam (US 6467041).

As per claim 6, the modified I'Anson, Shanklin et al and
Sweitzer et al system fails to disclose copying the stream to a
third party to be analyzed.

However, Blam teaches a third party analyzer (see column 6
lines 5-29).

At the time of the invention it would have been obvious to 
a person of ordinary skill in the art to use Blam's third party 
analyzer to analyze the protocol analyzer of the modified 
I'Anson, Shanklin et al and Sweitzer et al system. 

Motivation to do so would have been to perform the analysis
regardless of what resources are on the network or client (see
column 6 lines 5-29).

As per claims 7-9, the modified I'Anson, Shanklin et al, 
Sweitzer et al, and Blam system discloses the network protocol 
stream comprises packets of data, each packet being associated 
with a sequence number indicating its position relative to other 
packets in the protocol stream, and the third system reassembles 
the packets into the order indicated by the respective sequence 
numbers of the packets received where a copy of the network 
protocol stream is maintained in the third system until analysis 
has been completed and in the event the packets are received by 
the third system in sequence number order, a copy is maintained 
in the third system only of those packets comprising the portion 
of the network protocol currently under analysis (see I'Anson 
pages 4-5 and Blam column 6 lines 5-29).

Response to Arguments

8. Applicant's arguments filed 04/27/2006 have been fully
considered but they are not persuasive. Applicant argues:
Neither Sweitzer, nor I'Anson, nor Shanklin either singly or in
combination teaches "expressing as a second regular expression
an invalid transition from the first state to the invalid
state", and "applying to a received packet associated with the
connection: the first regular expression to determine whether
the packet is associated with the at least one valid transition
and the second regular expression to determine whether the
packet is associated with the invalid transition" and there is
no suggestion or motivation in the references to combine
Sweitzer's state machine with I'Anson's protocol analyzer and
Shanklin's intrusion detection signature analysis.

With respect to Applicant's argument that neither Sweitzer
nor I'Anson, nor Shanklin either singly or in combination
teaches "expressing as a second regular expression an invalid
transition from the first state to the invalid state" and
"applying to a received packet associated with the connection:
the first regular expression to determine whether the packet is
associated with the at least one valid transition, and the
second regular expression to determine whether the packet is
associated with the invalid transition", Sweitzer teaches a
transition from a first state to an invalid state as described
in column 9 line 63 through column 10 line 23 and I'Anson
teaches a valid transition between a first and second state.
Shanklin teaches the use of regular expressions for recognizing
and evaluating information (see column 6 lines 39-57).
Therefore when combined with the motivation given above the
modified system teaches expressing as a second regular
expression an invalid transition from the first state to the
invalid state and applying to a received packet associated with
the connection: the first regular expression to determine
whether the packet is associated with the at least one valid
transition, and the second regular expression to determine
whether the packet is associated with the invalid transition.

With respect to Applicant's argument that there is no
suggestion or motivation in the references to combine Sweitzer's
state machine with I'Anson's protocol analyzer and Shanklin's
intrusion detection signature analysis, each of the above
identified references relate to monitoring data in a network.
I'Anson and Sweitzer each use a state machine to determine how
to process the received information, while Shanklin uses regular
expressions, which represent an internal state machine (see
column 6 lines 50-53), to analyze traffic. Therefore each
reference relates to analyzing network traffic. Furthermore,
Sweitzer teaches the motivation to define an invalid transition
as a way to handle errors in the system by placing the system in
an error state (see column 10 lines 7-12), while Shanklin
teaches the motivation to use regular expression for analysis as
the ability to recognize and evaluate identifiers, special
symbols, or other tokens. Therefore, motivation exists to
combine the references.

Conclusion 

9. THIS ACTION IS MADE FINAL. Applicant is reminded of the 
extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action 
is set to expire THREE MONTHS from the mailing date of this 
action. In the event a first reply is filed within TWO MONTHS 
of the mailing date of this final action and the advisory action 
is not mailed until after the end of the THREE-MONTH shortened 
statutory period, then the shortened statutory period will 
expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated 
from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than 
SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier
communications from the examiner should be directed to Michael 
Pyzocha whose telephone number is (571) 272-3875. The examiner 
can normally be reached on 7:00am - 4:30pm first Fridays of the 
bi-week off. 

If attempts to reach the examiner by telephone are 
unsuccessful, the examiner's supervisor, Emmanuel Moise can be 
reached on (571) 272-38655. The fax phone number for the 
organization where this application or proceeding is assigned is 
703-872-9306. 

Information regarding the status of an application may be 
obtained from the Patent Application Information Retrieval 
(PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status 
information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, 
see http://pair-direct.uspto.gov. Should you have questions on 
access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free).



EMMANUEL L. MOISE
SUPERVISORY PATENT EXAMINER 



